Having some strange issues with SSL connection with DW 0.6.2


Nick Zhu

Dec 16, 2013, 2:44:57 AM
to dropwiz...@googlegroups.com
Hi guys,
I have a REST API app that's built on top of DW 0.6.2.
For testing purposes I'm using the legacy+ssl, and the provided SSL certificate keystore that's on the DW github repo.

I also have a javascript that issues a simple XmlHttpRequest and reads data from my endpoint like this (https://localhost:8080/hello)
This has been working fine until recently, when I added some authorization scheme on server side.

Basically, when I issue the XmlHttpRequest in javascript, I do this:
xmlhttp.open("GET","https://localhost:8080/hello",true);
xmlhttp.setRequestHeader("Authorization", "authorize");
xmlhttp.send();

However, it looks like the request never actually hits the resource endpoint, and in the logs I keep getting:

DEBUG [2013-12-16 07:32:54,923] org.eclipse.jetty.io.nio.ssl: 
! javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
! at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.7.0_40]
! at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1619) ~[na:1.7.0_40]
! at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1587) ~[na:1.7.0_40]
! at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1517) ~[na:1.7.0_40]
! at org.eclipse.jetty.io.nio.SslConnection.closeInbound(SslConnection.java:435) [jetty-io-8.1.10.v20130312.jar:8.1.10.v20130312]
! at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:409) [jetty-io-8.1.10.v20130312.jar:8.1.10.v20130312]

The strange thing is when I switch back to HTTP instead of HTTPS, this javascript code will work, so I'm guessing it has something to do with the SSL. However, if there is no Authorization header, this all works fine on both HTTPS and HTTP, so I don't really know what's going on here.
(I'm 95% sure it's not a cross-origin issue, I've already added the CrossOriginFilter and followed the config for allowing Authorization header)

Any help/suggestions would be appreciated.

Thanks so much!
Nick
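
Added example, not part of the original post: the message above mentions configuring CrossOriginFilter to allow the Authorization header. Setting that header makes a cross-origin XMLHttpRequest non-simple, so the browser first sends an OPTIONS preflight over its own HTTPS connection; the sketch below shows which requests are preflighted and what the preflight asks for. It is simplified from the Fetch specification, and the page origin `http://localhost:3000` and the function names are assumptions.

```javascript
// Added example (not from the thread): would the browser send a CORS preflight?
// Simplified from the Fetch spec; header length limits and Range are ignored.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Names of request headers that are not CORS-safelisted (lowercased, sorted).
function nonSafelistedHeaders(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (!SAFE_HEADERS.has(n)) return true;
      if (n !== "content-type") return false;
      // Content-Type is only safelisted for three form-style MIME types.
      const mime = String(value).split(";")[0].trim().toLowerCase();
      return !SAFE_CONTENT_TYPES.has(mime);
    })
    .map(([name]) => name.toLowerCase())
    .sort();
}

// Hypothetical helper: describe the preflight, if any, for one request.
function preflightPlan(pageOrigin, method, url, headers = {}) {
  const origin = new URL(pageOrigin).origin;
  const crossOrigin = origin !== new URL(url).origin;
  const unsafeHeaders = nonSafelistedHeaders(headers);
  const verb = method.toUpperCase();
  const needed = crossOrigin && (!SAFE_METHODS.has(verb) || unsafeHeaders.length > 0);
  if (!needed) return { preflight: false, crossOrigin };
  // Headers the OPTIONS request carries, which the server's CORS filter must accept.
  const optionsRequest = { "Origin": origin, "Access-Control-Request-Method": verb };
  if (unsafeHeaders.length > 0) {
    optionsRequest["Access-Control-Request-Headers"] = unsafeHeaders.join(",");
  }
  return { preflight: true, crossOrigin, optionsRequest };
}

// Constructed inputs: the page origin is assumed; the API URL is the one in the post.
const PAGE = "http://localhost:3000";
const API = "https://localhost:8080/hello";
console.log(preflightPlan(PAGE, "GET", API));
console.log(preflightPlan(PAGE, "GET", API, { Authorization: "authorize" }));
```

The preflight carries no Authorization header itself, so server-side authorization code has to let OPTIONS requests through to the CORS filter.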

Nick Zhu

Dec 16, 2013, 11:57:45 AM
to dropwiz...@googlegroups.com
- Update
It looks like if I --disable-web-security in Chrome the script works, so I wonder if it's some web security policy problem....
However looking at the logs I don't even see the request making it to the CrossOriginFilter at all. Hmm..

Nick Zhu

Dec 17, 2013, 12:19:02 PM
to dropwiz...@googlegroups.com
Nvm. It was because my SSL certificate was self-signed, and Chrome doesn't like that. Manually adding the certificate to the trusted group solved the problem.



Sergey Polovko

Dec 17, 2013, 1:47:44 PM
to dropwiz...@googlegroups.com
Not as an ad, but for your information: you can generate a signed certificate at http://www.startssl.com/?app=1 and it is free.

--
Sergey Polovko
http://jamel.org

